Canmove, confirm
2,675
edits
Changes
→Security: noted security review, sorted security sections newest first
}
== Security ==
=== Discussion 2011-04-21 ===Jesse's concerns ===Added , added 2011-04-21.
I'm worried about having a full screen mode that does not require user permission. In particular, I have three concerns:
''Jesse 2011-08-18'': Interesting to note that IE previously had fullscreen=yes but [https://developer.mozilla.org/en/Window.open#Note_on_fullscreen removed it in WinXP SP2].
=== Discussion 2011-04-11 ===
Date of discussion: 2011.04.11
Security Concerns:
* Ability of website to enter fullscreen and pre-empt keyboard focus
* User interaction currently not required for entering full screen mode
* Fullscreen could be used as an attack vector
Responses:
* There is a mode called without keys that does not take keyboard input
* Focus is released on tab change or window change
Possible Remediations:
* ESC key should be used to exit, similar to other well known apps users are familiar with
* A user preference should be available for users to say allow full-screen or dis-allow full screen for a given URL domain (Ie. Popup or geolocation preferences)
* Possible use of some indicator to show a user they are in full-screen mode
* Possible use of permission manager
* Plug-ins should be disabled when in full-screen mode
To-Do
* Re-review as spec firms up and code begins to land
== Issues ==
